RemedySpot.com

Pretty Park......Virus

Everything you need to know about this WORM and how to fix your computer. I

cannot stress enough DO NOT EVER open ZIP files etc............Joanne

PrettyPark.Worm

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV

Infection Length: 37,376

Area of Infection: C:\Windows\System, Registry, Email Attachments

Likelihood: Common

Detected as of: June 1, 1999

Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description

This is a worm program that behaves similarly to the Happy99 Worm. This worm

program was originally spread by email spamming from a French email address.

The attached program file is named "PrettyPark.EXE". The original report of

this worm was submitted through our exclusive Scan & Deliver system on May 28,

1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display

the 3D pipe screen saver. It will also create a file called FILES32.VXD in

the WINDOWS\SYSTEM directory and modify the following registry entry value

from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically

every 30 minutes (or 30 minutes after it is loaded) to email addresses

registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel.

The worm will send information to IRC every 30 seconds to keep itself

connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information

including the computer name, product name, product identifier, product key,

registered owner, registered organization, system root path, version, version

number, ICQ identification numbers, ICQ nicknames, victim's email address, and

Dial Up Networking username and passwords. In addition, being connected to

IRC opens a security hole in which the client can potentially be used to

receive and execute files.

Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1,

1999 virus definitions. With the June 9, 1999 definitions or later, the worm

will be detected as "PrettyPark.Worm."

Repair Information

Removing this worm manually:

1. Using REGEDIT, modify the Registry entry

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

from

FILES32.VXD "%1" %* to "%1" %*

(You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.)

2. Delete WINDOWS\SYSTEM\FILES32.VXD

3. Delete the "Pretty Park.EXE" file.

4. Reboot your computer.

You need to do step #1 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD

Safe Computing

This worm, and other trojan-horse type programs, demonstrate the need to

practice safe computing. You should not launch any executable-file attachment

(EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or

newsgroup source. These files should always be scanned by Norton AntiVirus,

using the latest virus definitions.

Norton AntiVirus users can protect themselves from PrettyPark.Worm by

downloading the current virus definitions either through LiveUpdate or from

the following web page:

http://www.symantec.com/avcenter/download.html ++(READ THIS }++

Write-up by: K. Elnitiarta & Chien

June 1, 1999

Updated: June 9, 1999

http://www.symantec.com/avcenter/venc/data/prettypark.worm.html
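
The registry change described in the write-up can be checked offline from a REGEDIT text export of the `exefile\shell\open\command` key. The following is an added example, not part of the original post or the Symantec write-up; the function names and the two sample exports are constructed for illustration.

```python
import re

# Clean default value given in the write-up; anything else changes how every .EXE launches.
EXPECTED = '"%1" %*'
# HKEY_CLASSES_ROOT is the alias view of HKLM\Software\Classes, so accept either spelling.
TARGET_KEYS = {
    r"hkey_local_machine\software\classes\exefile\shell\open\command",
    r"hkey_classes_root\exefile\shell\open\command",
}
# One string value per line: @="data" (default value) or "name"="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    """Undo the \\" and \\\\ escaping REGEDIT applies inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {lowercased key path: {value name (None = default): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = None if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2))
    return keys

def check_exe_handler(text):
    """Return (status, value); status is 'clean', 'hijacked' or 'missing'."""
    for path, values in parse_reg_export(text).items():
        if path in TARGET_KEYS and None in values:
            value = values[None]
            return ("clean" if value.strip() == EXPECTED else "hijacked"), value
    return "missing", None

# Constructed sample exports (not taken from a real machine).
INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_exe_handler(sample))
```

A "hijacked" result means step #1 of the manual removal still has to be done before FILES32.VXD is deleted.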


Joanne,

Thanks as always for the good information. This ugly "pretty" virus has

been a sobering experience for all of us and I'll bet anti-virus programs

are zooming!

Take care,

Geri
